Everything you've ever posted becomes public from tomorrow

As I sit here, ironically just wrapping up a privacy conference, scrolling my Facebook wall, I am seeing dozens of posts from smart, professional, aware people, all posting an apparent disclaimer to Facebook in an attempt to protect their personal privacy from the new Facebook privacy policy. This disclaimer, known as UCC 1 1-308-308 1-103 and the Rome Statute, is in fact a hoax. It first surfaced in 2012 but is making the rounds again. The post encourages users to share a Facebook status which allows them to be immune from Facebook sharing any of their data uploaded to their platform.

As I read my Facebook wall - I realized this isn’t new, these disclaimers had the same tone as the old chain letters, which had the stark warning, “DEADLINE tomorrow.” I suddenly got flashbacks to 1980 when my mother would walk in the door, her face full of terror, after checking the mail, holding a chain letter in her hand. She would sit down on the dining room table frantically writing the same letter over and over to make sure our family avoided famine. This Facebook hoax is the 2016 version of the chain letter– minus the hand cramps.

My first reaction, as a privacy professional, is to scream at my screen. The second reaction is to write on every single one of their walls and explain the concept of opt-in vs. opt-out and the use of Facebook privacy settings. My third reaction, after my initial annoyance subdued, was to educate; educating Facebook users about what level of privacy they should expect from a platform like Facebook.

In our society today, we fortunately have a heightened awareness of personal privacy online - we care about what people and organizations do with our personal data. This is especially true in the post-Snowden era. Yet, our urge is to share, over share, it is a human instinct. We sternly tell our children and our employees “think before you post on social media … anything you post today can be seen years from now” and “nothing is deleted in the technology era.” We question the government when there is a breach and we diligently check our credit reports to make sure we were not victims of identity theft. This increased awareness of security and privacy is borne out by industry analysts like Forrester who have seen a sea change in attitudes towards privacy, as people become more aware of the issues surrounding the sharing of personal data on social platforms. This Facebook “chain-disclaimer” proves how passionate the public is about their privacy.

However, there still lacks a fundamental understanding of online privacy since many educated people believe that you can share, share, share, but by simply pasting a short statement they will be fully protected. This then, leaves us with a question. Why doesn’t the mainstream user understand privacy? There are a number of reasons why this may be the case. I have attempted to highlight some of them here, from a technical viewpoint but I am sure sociologists, anthropologists and psychologists could offer more insights.

Privacy policies are only for the lawyers. Privacy and the policies that shore privacy up are written in legalese that the average person cannot understand. If you are like most people, you click through those policies, hitting, next, next and next until you see submit so you can go on your merry way of using your new program, software, or service. I look forward to the day when companies offer an abridged version of their privacy policy to really understand what you are agreeing to. However, on the positive side, there have been a number of campaigns by industry leaders, such as the International Association of Privacy Professionals (IAPP) that are encouraging a more user friendly language approach to privacy policy writing, so those CliffsNotes may not be too long off.

Opt-in and opt-out isn’t as clear as it should be. In good privacy policy best practice, the advisory is to always offer opt in. However, the U.S. is an “uncheck the box” Companies will always have the box checked for you and let’s face it, we all skim through text and we don’t read the fine print, in which case you’ll probably have opted into getting a wide variety of communication that effectively becomes spam.

Breaches get a lot of media attention – but prevention isn’t top of an individual’s mind. We need more education on how to protect our personal data and understand who has access and what can be done with that data.

So what can you do to be a good digital citizen?

Mostly it’s about being aware:

Privacy aware - Use, update, and care about your privacy settings. They are there to allow you to make the choice of what you want to share and with whom. Configure your privacy settings; they are there to tell the hosting organization, e.g. Facebook, what to share and with whom. Putting a privacy disclaimer notice on your wall, or in an email, spoof or not, will not have any effect on what the hosting platform shares.

Spam aware - Fact check before spreading the good word. If it is on the Internet, even from a reputable source, it may not be true. Remember those ‘Nigerian Prince’ spoof emails? Of course he was neither a Nigerian nor a prince, but rather a popular email scam. Or remember that email from your mom telling you she is stuck in on some island without her passport and she needs $10,000 dollars? A quick check on snopes.com usually will tell you if it is true or not.

Spoof aware - Don’t share links or “like” things on Facebook to win prizes. Most of the time when you see Disney saying they are giving away free cruises, or Target has a $500 gift card for you, or Bill Gates is going to send you $10 for every share that post gets – put on your logical cap; most likely, these offers are too good to be true. Offers like these are typically after personal information, or to get access to your social profile, or even share dangerous links with friends for a social engineering attack.

At the end of the day, the Facebook privacy disclaimer hoax is a lesson for all of us on personal privacy. Social media is like a wildfire for spreading information and the more we rely on digital venues to get our news, share updates with our family, share pictures, and for professional use, the more diligent we have to be in our understanding of what privacy is and the impact it can have. In the meantime, please, please, please go delete that paragraph long status off your wall and instead post a picture of your cute kids!

About the Author

Avani Desai the President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more.